[tor-reports] September 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Thu Oct 2 07:28:30 UTC 2014

In September, the Tor Browser team made four releases: 3.6.5, 3.6.6,
4.0-alpha-2, and 4.0-alpha-3[1,2,3].

3.6.5 and 4.0-alpha-2 were both described in our August status report.
The work for those releases was done in August; it just happened that
the release date itself fell on September 2nd.

3.6.6 and 4.0-alpha-3 were released to deal with a "chemspill"
out-of-cycle Firefox release due to a TLS certificate forging
vulnerability in NSS[4]. Several Mozilla engineers ensured that we had
as much advance notice as possible, and despite the last-minute rush,
we were able to release 3.6.6 on the same day as Mozilla released
Firefox 24.8.1, and 4.0-alpha-3 the next day.

We also took this opportunity to fix a startup hang[5] and a disk leak
issue[6] in 3.6.6.

In 4.0-alpha-3, we also identified and fixed several issues with the
updater.  We noticed that 4.0-alpha-2 would be unable to update to our
new Firefox 31-based TBBs due to a versioning issue[7]. We also
discovered that non-English users would be updated to the English TBB,
due to a conflict with our locale spoofing mechanisms[8]. We also
reduced the amount of information sent by TBB clients while updating.
The original Firefox updater sent the OS version and GUI library version
as URL parameters to the update server. We modified our update server
scripts to provide this information inside of the response document
without the need for URL parameters, so that TBB clients can merely
inspect the document for their OS version, rather than telling the
server about them[9].

With these fixes, we had several successful reports of people updating
from 4.0-alpha-2 to 4.0-alpha-3. Note again that for safety and
stability, these updates are still not fully automatic yet. You must go
into "Help->About Tor browser->Check for Updates" to trigger the update

The rest of September was spent rebasing our patches and reviewing,
testing, and updating everything to work with Firefox 31 ESR. This was
no small task (the full set of tickets can be seen with the ff31-esr
tag[10]), but we're pleased to report that by the end of the month, we
produced working "nightly" snapshot binaries for all three
platforms[11]. These snapshot binaries were also fully reproducible.
Georg and I both independently compiled the entire Firefox 31-based TBB
distribution and our binaries exactly matched the nightlies,

The full list of tickets closed by the Tor Browser team in September can
be seen using the TorBrowserTeam201409 tag on our bugtracker[12].

In October, our focus will be on finishing our remaining rebasing work
by October 14th for the official end-of-life of Firefox 24. The
remaining tickets can be seen by viewing the ff31-esr tag link[13]. Once
this work is finished, we will be releasing 4.0-stable, with all of the
changes in the 4.0-alpha series. At this point, we'll also update all of
our upstream Mozilla tickets with the new versions of our patches[14].

On top of this, we're eager to set up a Mozilla Persona testing server
to evaluate it for potential use as an abuse mitigation strategy[14].
We're also excited to debut our "Security Slider" in an alpha by the end
of the month[15], and make progress on the underlying plumbing for
circuit and exit node status reporting in the browser[16,17,18]. We will
also be investigating several pending Mozilla patches for potential

The full list of tickets that the Tor Browser team plans to work on in
October can be seen using the TorBrowserTeam201410 tag on our

1. https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released
2. https://blog.torproject.org/blog/tor-browser-366-released
3. https://blog.torproject.org/blog/tor-browser-40-alpha-3-released
4. https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
5. https://trac.torproject.org/projects/tor/ticket/10804
6. https://trac.torproject.org/projects/tor/ticket/12998
7. https://trac.torproject.org/projects/tor/ticket/13049
8. https://trac.torproject.org/projects/tor/ticket/13245
9. https://trac.torproject.org/projects/tor/ticket/13047
10. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~ff31-esr
11. https://lists.torproject.org/pipermail/tor-qa/2014-October/000474.html
12. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201409&status=closed
13. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff31-esr
14. https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20whiteboard:[tor]
15. https://trac.torproject.org/projects/tor/ticket/12193
16. https://trac.torproject.org/projects/tor/ticket/3455
17. https://trac.torproject.org/projects/tor/ticket/8641
18. https://trac.torproject.org/projects/tor/ticket/5752
19. https://trac.torproject.org/projects/tor/ticket/13033
20. https://trac.torproject.org/projects/tor/ticket/11955
21. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201410

Mike Perry